Conficker/Downadup

This is turning into big news!

[quote]
A worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users.

The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008.

Although Microsoft released a patch, it has gone on to infect 3.5m machines.

Experts warn this figure could be far higher and say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch.

[/quote]

Microsoft classifies it as a critical security update, but then the highest numbers of infected IPs come from countries where piracy is huge and people don't (and can't) apply the updates to Windows because of WGA validation. Although this particular patch is available for download without validation from their website, many people don't know about its availability because they don't use Windows' built-in update software. The worm infects XP, Vista, Server and Windows 7 as well.

[quote]
Downadup worms attempt to call home.

They do this by trying to connect to various Web addresses. And if the worm finds an active Web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines.

They could build a large botnet for example. The framework is in place.

[/quote]

F-Secure did some tracking of the worm and tried to count the number of IPs connecting to their servers; you can read about what they did in their blog post. China (38,277), Brazil, Russia and India top the list of highest number of infected IPs. Pakistan is 27th with 1,655 detected.

Their tracking method is smart, but obviously not very thorough. They've detected only the number of machines that connect to the random domains they own; because the domains are random, there are undoubtedly many more computers that don't even connect to F-Secure's domains. They made a later post to explain how they're estimating the total number of Downadup infections. The estimated total at last count was over 8.9 million computers.

The best thing to do would be to patch Windows! You can download the patch from Microsoft's Download Center: select your OS version from the list of Affected Software in the Security Bulletin (MS08-067, KB958644) if the update hasn't already been installed on your machine.

F-Secure also has a list of a thousand domain names that will be used by Conficker from Jan 17th to 31st. You can blacklist those domains, so even if you are infected, the worm will not be able to connect to the malicious domains.

This could turn into a huge botnet, and if F-Secure's numbers are right, "it would make for one big badass botnet," to put it in their own words. Patch, be careful of what you download, sterilise your USB disks and, most importantly, try and spread the word around so everyone can get patched as soon as possible.

Links:

Three million hit by Windows worm, BBC News

How big is Downadup, F-Secure

Microsoft Security Bulletin

To blacklist the domains, edit the Windows hosts file. A Google search should turn up appropriate guides.
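As an added example (not code from the original thread, F-Secure or Microsoft), here is a small Python tool that turns a published domain list into hosts-file sinkhole entries without duplicating names the file already resolves, so it can be re-run safely as new daily lists come out. The hosts path is the Windows default and is an assumption; the sample list is constructed, using the three names quoted from F-Secure later in this thread plus some junk lines to exercise the parsing.

```python
"""Build hosts-file sinkhole entries from a list of worm domains.

Added example for this thread, not the vendor's tool. Run as Administrator
on Windows; pass another path as the first argument to try it on a copy.
"""
import re
import sys
from pathlib import Path

# Assumption: default Windows location; adjust for other systems.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")
SINKHOLE_IP = "0.0.0.0"            # unroutable, so connection attempts fail at once
BLOCK_MARKER = "# conficker-dga-blocklist"

# Hostname syntax: dotted labels of letters/digits/hyphens, alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed sample input. The first three names are the ones quoted from
# F-Secure in this thread; the rest exercise comment, case, duplicate and
# garbage handling. The real 17-31 January list is not reproduced here.
SAMPLE_LIST = """\
# domains for one day (constructed sample)
mphtfrxs.net
imctaef.cc
HCWEU.ORG      # trailing comment
imctaef.cc
this is not a domain
"""


def parse_domain_list(text: str) -> list[str]:
    """Return a de-duplicated, lower-cased list of syntactically valid names."""
    seen: set[str] = set()
    out: list[str] = []
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not name or name in seen or not _DOMAIN_RE.match(name):
            continue
        seen.add(name)
        out.append(name)
    return out


def names_already_mapped(hosts_text: str) -> set[str]:
    """Every hostname an existing hosts file already resolves (to any IP)."""
    mapped: set[str] = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            mapped.update(f.lower() for f in fields[1:])
    return mapped


def merge_blocklist(hosts_text: str, domains: list[str], ip: str = SINKHOLE_IP):
    """Append sinkhole entries for names not yet in hosts_text.

    Returns (new_hosts_text, names_added); idempotent on a second run."""
    present = names_already_mapped(hosts_text)
    new = [d for d in domains if d not in present]
    if not new:
        return hosts_text, []
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    block = "\n".join([BLOCK_MARKER] + [f"{ip} {d}" for d in new]) + "\n"
    return hosts_text + block, new


def apply_blocklist(list_text: str, hosts_path: Path = HOSTS_PATH) -> list[str]:
    """Merge the list into hosts_path on disk; returns the names added."""
    domains = parse_domain_list(list_text)
    existing = hosts_path.read_text(encoding="utf-8") if hosts_path.exists() else ""
    merged, added = merge_blocklist(existing, domains)
    if added:
        hosts_path.write_text(merged, encoding="utf-8")
    return added


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else HOSTS_PATH
    print("added:", apply_blocklist(SAMPLE_LIST, target))
```

Keep in mind the limit the thread itself implies: this only stops the listed names resolving through the system resolver, and only for the dates the published list covers, so it is a stop-gap until the machine is patched and cleaned, not a substitute for either.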

Update your antivirus regularly to avoid the virus.

What does this worm do? How do we even know we have this worm?

Microsoft's Malware Protection Center has an alert for Conficker with details on what the worm does and how to remove it. More information at the appropriate virus bulletin.

It primarily seems like it's preparing the infected computers for a future botnet.

[quote]
According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

But Conficker does things differently.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.

[/quote]

The Malicious Software Removal Tool (download link), released by Microsoft monthly, can also detect and remove it. MSRT is completely free, fast and does a good job of removing other types of malware too. It doesn't require validation.
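To make the quoted F-Secure point concrete, here is an added Python example (not Conficker's actual generator, which this thread does not reproduce, and not F-Secure's code) of a date-seeded domain generation algorithm together with the defender's side of it. Because the seed depends only on the date and a constant baked into the sample, anyone who has reverse engineered the algorithm can precompute every name for a date range, which is exactly what makes a list like the one for 17-31 January possible. The seed construction, SECRET, TLDS, PER_DAY and the sample resolver queries are all assumptions or constructed data.

```python
"""Toy DGA plus the defender's precomputation and triage.

Added example for this thread. NOT Conficker's algorithm; the constants
below are assumptions chosen to illustrate the mechanism.
"""
import hashlib
import random
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org", "cc", "ws", "info", "biz", "cn")   # assumption
PER_DAY = 250                      # "hundreds ... every day", per the quote above
SECRET = b"illustrative-dga-seed"  # assumption: constant baked into the sample


def _as_date(day) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def domains_for(day, per_day: int = PER_DAY, secret: bytes = SECRET) -> list[str]:
    """All candidate domains for one calendar day.

    Attacker and defender get the same list because the seed is derived only
    from the date and a fixed constant (here via SHA-256)."""
    day = _as_date(day)
    digest = hashlib.sha256(secret + day.isoformat().encode()).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    names = []
    for _ in range(per_day):
        label = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(5, 11)))
        names.append(f"{label}.{rng.choice(TLDS)}")
    return names


def precompute_blocklist(start, end) -> dict[str, str]:
    """Defender side: every name the worm may try from start to end inclusive,
    mapped to the ISO date it becomes active. This is the table a vendor can
    publish, sinkhole, or feed into a hosts file ahead of time."""
    d, end = _as_date(start), _as_date(end)
    table: dict[str, str] = {}
    while d <= end:
        for name in domains_for(d):
            table.setdefault(name, d.isoformat())
        d += timedelta(days=1)
    return table


def triage_queries(queries, table) -> list[tuple[str, str]]:
    """Label names from a resolver log: 'dga' if precomputed, else 'other'."""
    return [(q, "dga" if q.lower().rstrip(".") in table else "other") for q in queries]


# Constructed resolver log: a legitimate name, one of the DGA names for
# 20 Jan 2009, and a vendor name. Not real captured traffic.
SAMPLE_QUERIES = [
    "www.microsoft.com",
    domains_for("2009-01-20")[3],
    "update.f-secure.com",
]

if __name__ == "__main__":
    table = precompute_blocklist("2009-01-17", "2009-01-31")
    print(f"{len(table)} names to block for 17-31 Jan; first three:", list(table)[:3])
    for name, verdict in triage_queries(SAMPLE_QUERIES, table):
        print(f"{verdict:5} {name}")
```

The asymmetry is the point: the attacker needs to register only one of a day's names, while the defender has to block or sinkhole all of them, and that is only possible once the algorithm and its constant have been recovered from a sample. A generator seeded from something the defender cannot predict could not be listed in advance this way.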

I want to download MS08-067 but am unable to find it. Please give me a direct link. A Microsoft link to this specific patch will be highly appreciated.

I read on a website:

"In fact these are not two different files. KB958644 means Knowledge Base and MS08-067 means security bulletins. But to help people searching for either code name on Google I wrote both anyway. The file name is WindowsXP-KB958644-x86-ENU.exe and the size is 634 KB. And here are the download links"

So does it mean to say there's no need to download MS08-067?

Conficker is a virus reported to be generated on the 1st of April and generates internet traffic without the knowledge of the users, and hence they experience issues like slow browsing. It also restricts access to websites that can help in the removal of the software.

You can directly download the antivirus patch from the following Microsoft links:

Windows XP: http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03&displaylang=en

Windows Vista: http://www.microsoft.com/downloads/details.aspx?familyid=18FDFF67-C723-42BD-AC5C-CAC7D8713B21&displaylang=en